Fortinet Document Library

Administration Guide

Remote users

Remote LDAP users must be imported into the FortiAuthenticator user database from LDAP servers. For more information, see LDAP.

Note that you will only be able to import a maximum of five remote users if you have an unlicensed version of FortiAuthenticator-VM.

A FortiToken device already allocated to a local account cannot be allocated to an LDAP user as well; it must be a different FortiToken device.

Remote RADIUS users can be created, migrated to LDAP users, edited, and deleted.

LDAP users

To import remote LDAP users:
  1. Go to Authentication > User Management > Remote Users, ensure that LDAP users is selected, and select Import.
  2. Select a server from the Remote LDAP server dropdown menu, then select Import users or Import users by group membership, and select Go.
    An LDAP server must already be configured to select it in the dropdown menu. For information on adding a remote LDAP server, see Remote authentication servers.
  3. The Import Remote LDAP Users or Import Remote LDAP Users by Group Memberships window opens in a new browser window.

  4. Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply, or select Clear to clear the filters.
    Note: the Member attribute field is only available when you select Import users by group membership. It names the group attribute that lists the group's members; with the default attribute (member), only users that appear in a group's member attribute are shown.
  5. The default configuration imports the attributes commonly associated with Microsoft Active Directory LDAP implementations. Select Configure user attributes to edit the remote LDAP user mapping attributes.
  6. Selecting the field FirstName, for example, presents a list of detected attributes that can be selected. This list is not exhaustive as additional, non-displayed attributes may be available for import. Consult your LDAP administrator for a full list of available attributes.

  7. Select the entries you want to import.
  8. Optionally, select a logo from the FortiToken Logo dropdown menu to associate the imported users with the specified logo. This logo is displayed beside the one-time password in FortiToken. See FortiTokens for more information.
  9. Select OK.
  10. The amount of time required to import the remote users will vary depending on the number of users to import.
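
The following Python script is an added illustration of what the Filter string and the Member attribute do during an import; it is not FortiAuthenticator code and does not talk to a directory. It evaluates a small subset of RFC 4515 filters (and/or/not, equality, presence, and the Active Directory bitwise matching rule 1.2.840.113556.1.4.803) over a constructed in-memory snapshot of an AD-style tree, then keeps only the entries listed in the chosen groups' member attribute, which is what Import users by group membership does. It also shows RFC 4515 escaping of user-supplied values, the check that stops a crafted username from widening a filter. Every DN, attribute value and function name (DIRECTORY, VPN_GROUP, select_users, lookup_user) is constructed for the example.

```python
import re

# Constructed snapshot of an Active Directory-style tree; all DNs and values are made up.
DIRECTORY = {
    "CN=Alice,OU=Users,DC=example,DC=com": {"objectClass": ["top", "user"], "sAMAccountName": ["alice"],
        "mail": ["alice@example.com"], "userAccountControl": ["512"]},   # 512 = NORMAL_ACCOUNT
    "CN=Bob,OU=Users,DC=example,DC=com": {"objectClass": ["top", "user"], "sAMAccountName": ["bob"],
        "mail": ["bob@example.com"], "userAccountControl": ["514"]},     # 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
    "CN=Carol,OU=Users,DC=example,DC=com": {"objectClass": ["top", "user"], "sAMAccountName": ["carol"],
        "mail": ["carol@example.com"], "userAccountControl": ["512"]},
    "CN=VPN Users,OU=Groups,DC=example,DC=com": {"objectClass": ["top", "group"],
        "member": ["CN=Alice,OU=Users,DC=example,DC=com", "CN=Bob,OU=Users,DC=example,DC=com"]},
}
VPN_GROUP = "CN=VPN Users,OU=Groups,DC=example,DC=com"
AD_BIT_AND = "1.2.840.113556.1.4.803"        # Active Directory bitwise-AND matching rule
# A filter a practitioner would use for the import: user objects whose ACCOUNTDISABLE bit (2) is clear.
ACTIVE_USERS_FILTER = f"(&(objectClass=user)(!(userAccountControl:{AD_BIT_AND}:=2)))"

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value that is interpolated into a filter string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Parse (&..), (|..), (!..), (attr=value), (attr=*) and (attr:<AD_BIT_AND>:=mask)
    into nested tuples. Anything else is rejected rather than guessed at."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError(f"trailing input after filter: {rest!r}")
    return node


def _parse(s: str):
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s[:10]!r}")
    s = s[1:]
    if s[:1] in ("&", "|", "!"):                    # compound filter
        op, s, children = s[0], s[1:], []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")") or (op == "!" and len(children) != 1):
            raise ValueError("malformed compound filter")
        return (op, children), s[1:]
    end = s.index(")")                               # an escaped ')' is '\29', never literal
    body = s[:end]
    if ":=" in body:                                 # extensible match
        attr_rule, _, value = body.partition(":=")
        attr, _, rule = attr_rule.partition(":")
        if rule != AD_BIT_AND:
            raise ValueError(f"unsupported matching rule {rule!r}")
        node = ("bitand", attr, int(value))
    else:
        attr, sep, value = body.partition("=")
        if not attr or not sep:
            raise ValueError(f"expected attr=value, got {body!r}")
        node = ("present", attr) if value == "*" else ("=", attr, _unescape(value))
    return node, s[end + 1:]


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attribute names are exact-case here;
    a real server compares them case-insensitively)."""
    kind = node[0]
    if kind in ("&", "|"):
        results = [matches(c, entry) for c in node[1]]
        return all(results) if kind == "&" else any(results)
    if kind == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if kind == "present":
        return bool(values)
    if kind == "bitand":
        return any(int(v) & node[2] == node[2] for v in values)
    return any(v.lower() == node[2].lower() for v in values)


def select_users(directory: dict, filter_text: str, groups=None, member_attr: str = "member") -> list:
    """DNs matching filter_text. With groups, keep only DNs listed in the groups'
    member attribute, which is what Import users by group membership does."""
    node = parse_filter(filter_text)
    hits = {dn for dn, entry in directory.items() if matches(node, entry)}
    if groups is not None:
        members = {m for g in groups for m in directory.get(g, {}).get(member_attr, [])}
        hits &= members
    return sorted(hits)


def lookup_user(directory: dict, raw_name: str) -> list:
    """Build a filter from untrusted input. Escaping keeps a name such as
    '*)(objectClass=*' a literal string instead of widening the search to everyone."""
    flt = f"(&(sAMAccountName={escape_filter_value(raw_name)})(objectClass=user))"
    return select_users(directory, flt)
```

With ACTIVE_USERS_FILTER and the VPN group, only Alice is selected: Bob is a group member but has the ACCOUNTDISABLE bit set, and Carol is active but not a member. The same bitwise filter is worth using in the real import so that accounts already disabled in the directory are not copied into the FortiAuthenticator database.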

To add two-factor authentication to a remote LDAP user:
  1. Edit the remote user, select One-Time Password (OTP) authentication, and follow the same steps as when editing a local user (Editing a user).
  2. Configure the User Role, User Information, RADIUS Attributes, and Certificate Bindings for the user as needed.
  3. Select OK to apply the changes.

RADIUS users

To view remote RADIUS users, go to Authentication > User Management > Remote Users and select RADIUS users in the toolbar. See RADIUS for more information about remote RADIUS servers.

The following toolbar options are available (when remote RADIUS users are available to edit):

Create New Select to create a new remote RADIUS user.
Delete Select to delete the selected user or users.
Edit Select to edit the selected user.
Re-enable Select to re-enable a user that has been disabled.
Migrate Select to migrate the selected user or users to LDAP users. See To migrate RADIUS users to LDAP users:.
Token Select to either Enforce or Bypass One-Time Password (OTP) authentication for the selected user(s).
Search Search the remote RADIUS user list.

The list shows the following columns:

Username The remote user’s name.
Remote RADIUS server The remote RADIUS server on which the user resides.
Admin Displays whether or not the user is configured as an administrator.
Status Displays whether the user is enabled or disabled.
Token The FortiToken used by the user, if applicable.
Token Requested Displays whether or not a FortiToken has been requested for the user.
Enforce token-based authentication Displays whether or not token-based authentication is enforced.
To create a new remote RADIUS user:
  1. From the remote user list, select RADIUS users and select Create New.
  2. Enter the following information:
    Remote RADIUS Select the remote RADIUS server on which the user resides. For more information on remote RADIUS servers, see RADIUS.
    Username Enter a username.
    Disabled Select to disable the user account.
    Enforce token-based authentication if configured below Select to require the one-time password configured below at login. When it is cleared, a configured token is not enforced (the Token toolbar option sets Enforce or Bypass for the selected users in the same way).
    One-Time Password (OTP) authentication Select to configure One-Time Password (OTP) authentication.
      Deliver token code by

    Select the method by which token codes are delivered:

    • FortiToken, then select the type of FortiToken used from the available options.
      • Hardware, then select the FortiToken device serial number from the Token dropdown menu.

      • Mobile, then select the FortiToken Mobile device serial number from Token dropdown menu, and select an Activation delivery method from Email or SMS.

      • Cloud, then select an Activation delivery method from Email or SMS.

    The device must be known to FortiAuthenticator. See FortiToken physical device and FortiToken Mobile.

    Optionally, select Temporary token to receive a temporary token code via email or SMS.

    If Temporary token is enabled with Email or SMS, a user configured for 2FA receives an OTP by email or SMS when attempting a 2FA login, so they can still log in when they do not have their phone or hardware token. Because the temporary code travels over email or SMS, its assurance is only that of those channels; enable it only where that fallback is acceptable.

    Temporary token authentication is disabled automatically the next time the user logs in successfully with their FortiToken hardware token (FTK) or FortiToken Mobile (FTM).

    • Email: Enter the user’s email address in the User Information section.
    • SMS: Enter the user’s mobile number in the User Information section.
    • Dual (Email & SMS): Enter the user’s email address and mobile number in the User Information section.

    Select Test Token to validate the token passcode. The Test Email Token or Test SMS Token window opens (depending on your selection).

    See Configuring One-Time Password (OTP) authentication.

    FIDO authentication

    Select to enable FIDO authentication. This is disabled by default for new user accounts.

    Allow RADIUS authentication

    Enable or disable RADIUS authentication.

    Sync in HA Load Balancing mode

    Select to synchronize this account from the primary standalone FortiAuthenticator to the load-balancer members of an HA load-balancing cluster.

    User Role

    Configure the remote user's role. Select whether the remote user is an Administrator (with related permissions), a Sponsor, or a regular User.

    Role Select Administrator, Sponsor, or User.
    Full Permission Enable to grant this administrator full permission, or enter an Admin profile in the field provided. This applies only to administrators.
    Use backup password Enable to set up a backup password that is used when the remote server is unreachable. This applies to administrators and sponsors only. Because the backup password is checked locally rather than by the remote server, treat it as a local administrator credential.
    Restrict admin login from trusted management subnets only Enable and enter trusted IP addresses and netmasks to restrict administrator login to those subnets. This applies to administrators and sponsors only.

    User Information

    Enter user information as needed. The following options are available:

    • Email address
    • Mobile number and SMS gateway
    • Language
    • FortiToken Logo - see FortiTokens.

    TACACS+ Authorization

    Add a TACACS+ authorization rule. See Assigning authorization rules.

    Usage Information

    View the user's usage information, including bytes in/out, time used, and the option to reset the usage statistics.

    Certificate Bindings

    Add, edit, or remove certificate bindings for the user account. See Configuring certificate bindings.
    Select the certificate name to view the certificate, or select the Revoke Certificate button to revoke the certificate.

    For administrator and sponsor user roles, this field is available only when Sync in HA Load Balancing mode is enabled.

    Devices

    Add devices, based on MAC address, for the user account.

  3. Select OK to create the new remote RADIUS user.
To migrate RADIUS users to LDAP users:
  1. From the remote RADIUS users list (see Learned RADIUS users), select the user or users you need to migrate, then select Migrate from the toolbar.
  2. Select an LDAP server from the dropdown menu and select Next.
  3. Enter the distinguished names for the users to migrate, or browse the LDAP tree (see Directory tree overview) to find the users.
  4. Select Migrate to migrate the user or users.

SAML users

To view remote SAML users, go to Authentication > User Management > Remote Users and select SAML users.

To create a new remote SAML user:
  1. From the remote user list, select SAML users and select Create New.
  2. The Create New Remote SAML User window appears.

  3. Enter the following information:
    Remote SAML Select the remote SAML server (identity provider) that authenticates the user. For more information on remote SAML servers, see SAML.
    Username Enter a username.
    Disabled Select to disable the user account.
    One-Time Password (OTP) authentication Select to configure One-Time Password (OTP) authentication.
      Deliver token code by

    Select the method by which token codes are delivered:

    • FortiToken, then select the type of FortiToken used from the available options.
      • Hardware, then select the FortiToken device serial number from the Token dropdown menu.

      • Mobile, then select the FortiToken Mobile device serial number from Token dropdown menu, and select an Activation delivery method from Email or SMS.

      • Cloud, then select an Activation delivery method from Email or SMS.

    The device must be known to FortiAuthenticator. See FortiToken physical device and FortiToken Mobile.

    Optionally, select Temporary token to receive a temporary token code via email or SMS.

    If Temporary token is enabled with Email or SMS, a user configured for 2FA receives an OTP by email or SMS when attempting a 2FA login, so they can still log in when they do not have their phone or hardware token. Because the temporary code travels over email or SMS, its assurance is only that of those channels; enable it only where that fallback is acceptable.

    Temporary token authentication is disabled automatically the next time the user logs in successfully with their FortiToken hardware token (FTK) or FortiToken Mobile (FTM).

    • Email: Enter the user’s email address in the User Information section.
    • SMS: Enter the user’s mobile number in the User Information section.
    • Dual (Email & SMS): Enter the user’s email address and mobile number in the User Information section.

    Select Test Token to validate the token passcode. The Test Email Token or Test SMS Token window opens (depending on your selection).

    See Configuring One-Time Password (OTP) authentication.

    User Information

    Enter user information as needed. The following options are available:

    • First name
    • Last name
    • Email address
    • Mobile number and SMS gateway
    • Language
    • FortiToken Logo - see FortiTokens.
  4. Select OK to create the new remote SAML user.
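
The remote RADIUS user and remote SAML user procedures above configure the same One-Time Password (OTP) options. As an added example that is not part of this guide and not FortiAuthenticator's implementation, the Python below shows what the verifier behind a Deliver token code by FortiToken setting has to do: compute the RFC 6238 TOTP code (the OATH algorithm used by standard hardware and mobile tokens; that a given FortiToken model uses exactly these parameters is an assumption here, not something this page states), accept it only within a bounded clock-skew window, and never accept a time step that has already been consumed, which is what makes the code one-time rather than merely time-based. The secret is the RFC 4226/6238 test secret; TotpVerifier and demo are names chosen for the example.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Server-side check for one token: accepts a code within +/- skew_steps of the
    current time step and never accepts a time step at or before the last one that
    succeeded, so a code captured in transit cannot be replayed within its window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew_steps: int = 1):
        self.secret, self.step, self.digits, self.skew_steps = secret, step, digits, skew_steps
        self.last_accepted = -1          # highest counter already consumed

    def verify(self, code: str, now=None) -> bool:
        if now is None:
            now = int(time.time())
        if len(code) != self.digits or not code.isdigit():
            return False
        counter = now // self.step
        for candidate in range(counter - self.skew_steps, counter + self.skew_steps + 1):
            if candidate <= self.last_accepted:
                continue                 # already used, or older than a used step
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):     # constant-time comparison
                self.last_accepted = candidate
                return True
        return False


# Constructed walk-through using the RFC 4226/6238 test secret at Unix time 59 (time step 1).
RFC_SECRET = b"12345678901234567890"


def demo() -> list:
    """Outcomes of five attempts against one verifier; see the comments for why each is accepted."""
    v = TotpVerifier(RFC_SECRET)
    return [
        v.verify(hotp(RFC_SECRET, 0), 59),   # True:  token clock one step behind, inside the window
        v.verify(hotp(RFC_SECRET, 1), 59),   # True:  code for the current step
        v.verify(hotp(RFC_SECRET, 1), 59),   # False: replay of a code already accepted
        v.verify(hotp(RFC_SECRET, 0), 59),   # False: older than the last accepted step
        v.verify(hotp(RFC_SECRET, 3), 59),   # False: outside the +/-1 step window
    ]


if __name__ == "__main__":
    print(totp(RFC_SECRET, 59), demo())
```

The skew window is the trade-off between token clock drift and the size of the guessing window; one step either side is a common default. The replay rule is what distinguishes a one-time password from a password that happens to change every 30 seconds, and it is the property to look for when a temporary token is delivered by email or SMS, since those codes can sit in a mailbox or message store after use.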
To import remote SAML users:
  1. From the remote user list, select SAML users, and select Import.
  2. The Import remote SAML Users window opens.

  3. Select the following:
    Remote SAML server Select the remote SAML server from which the users will be imported. For more information on remote SAML servers, see SAML.
    Group Select the SAML server group to import users from.
  4. Select OK to import the remote SAML users.
